Russ Allbery wrote:

> > Is it a bad thing to use IP literals as Kerberos principals?
>
> Well, it poses a problem for domain to realm mappings, as you've seen.
>
> > However, I am curious. When I try to "ssh u...@10.14.134.5", a very
> > strange ticket is being requested from the KDC:
> >
> > 2010-12-13T09:14:15 TGS-REQ suda...@sibptus.tomsk.ru from
> > IPv4:10.14.134.125 for krbtgt/14.13...@sibptus.tomsk.ru
> > 2010-12-13T09:14:15 Server not found in database:
> > krbtgt/14.13...@sibptus.tomsk.ru: No such entry in the database
> > 2010-12-13T09:14:15 Failed building TGS-REP to IPv4:10.14.134.125
> >
> > What exactly is "krbtgt/14.134.5"? Why only the last 3 octets of the
> > address?
>
> Kerberos implementations tend to assume that they're dealing with
> hostnames, so their algorithm of last resort to figure out what realm
> should be used to contact a host is to get rid of the part before the
> first period (the "hostname") and hope the rest is a Kerberos realm. This
> obviously doesn't work with IP addresses, so you get the above failed
> attempt at a cross-realm authentication to a weird realm.

I still don't quite understand why it should try to contact a weird realm
while I have

[libdefaults]
default_realm = SIBPTUS.TOMSK.RU

in /etc/krb5.conf. Shouldn't it request a ticket for
host/10.14.13...@sibptus.tomsk.ru by default?

> If you add an explicit domain_realm mapping for each IP address to the
> [domain_realm] section of your krb5.conf file, it will probably work, but
> it's generally a much better idea to use real host names (possibly in some
> private domain ending in .local or some similar marker).

I agree in general, but DNS is sometimes yet another point of failure.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/4...@fidonet http://vas.tomsk.ru/
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
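The realm lookup Russ describes (explicit [domain_realm] entry first, then the last-resort "strip the first label and call the rest a realm" guess) and the [domain_realm] fix he suggests, as an added illustration for this thread. This is not code from the thread, from MIT Kerberos or from Heimdal; it is a small model of the client-side lookup order. The krb5.conf text, the host `srv.sibptus.tomsk.ru` and the helper names are assumptions made for the example, and DNS lookups and KDC referrals, which real libraries also try, are deliberately left out.

```python
"""Model of how a Kerberos client picks the realm for a host it wants to reach.

Added example for the mailing-list thread above; not MIT or Heimdal code.
Lookup order modelled: (1) an explicit [domain_realm] entry, exact host first,
then the longest matching ".parent.domain" entry; (2) the last-resort guess
Russ describes: drop everything before the first period and treat the rest
as a realm. DNS TXT lookups and KDC referrals are not modelled.
"""
from typing import Dict, Optional

# Constructed krb5.conf samples for the example: the poster's default realm,
# once without and once with the IP-literal mapping Russ suggests.
KRB5_CONF_WITHOUT_MAPPING = """
[libdefaults]
    default_realm = SIBPTUS.TOMSK.RU
"""

KRB5_CONF_WITH_MAPPING = KRB5_CONF_WITHOUT_MAPPING + """
[domain_realm]
    10.14.134.5 = SIBPTUS.TOMSK.RU          # one entry per IP literal
    .sibptus.tomsk.ru = SIBPTUS.TOMSK.RU    # covers every host under the domain
"""


def parse_krb5_conf(conf: str) -> Dict[str, Dict[str, str]]:
    """Minimal krb5.conf reader: flat "key = value" lines under [section].

    Keys are lowercased (hostnames are case-insensitive); values are kept as
    written because realm names are case-sensitive. Nested { } blocks, as used
    in [realms], are not needed here and are not handled.
    """
    sections: Dict[str, Dict[str, str]] = {}
    section: Optional[str] = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            sections.setdefault(section, {})
            continue
        if section is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[section][key.lower()] = value
    return sections


def explicit_realm(host: str, mapping: Dict[str, str]) -> Optional[str]:
    """Step 1: exact host entry, then the longest ".parent.domain" entry."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):          # longest suffix first
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None


def last_resort_realm(host: str) -> Optional[str]:
    """Step 2: drop the first label and hope the remainder is a realm.

    "srv.sibptus.tomsk.ru" -> "SIBPTUS.TOMSK.RU" (works by accident of naming)
    "10.14.134.5"          -> "14.134.5"          (the odd realm in the KDC log)
    A single-label name leaves nothing to guess from, so None is returned.
    """
    parts = host.split(".", 1)
    if len(parts) == 2 and parts[1]:
        return parts[1].upper()
    return None


def realm_for_host(host: str, conf: str) -> Optional[str]:
    """Realm the client will try to use for `host`, given this krb5.conf."""
    mapping = parse_krb5_conf(conf).get("domain_realm", {})
    return explicit_realm(host, mapping) or last_resort_realm(host)


def tgs_request_principal(host: str, conf: str) -> str:
    """Principal the client asks its own KDC for before talking to `host`.

    When the chosen realm differs from the client's realm the client first
    needs a cross-realm TGT, krbtgt/<remote realm>@<local realm>; that is the
    "Server not found in database" request in the log. When the realms match
    it asks directly for the host service principal.
    """
    local_realm = parse_krb5_conf(conf)["libdefaults"]["default_realm"]
    realm = realm_for_host(host, conf) or local_realm
    if realm != local_realm:
        return f"krbtgt/{realm}@{local_realm}"
    return f"host/{host}@{realm}"


if __name__ == "__main__":
    for conf_name, conf in (("without mapping", KRB5_CONF_WITHOUT_MAPPING),
                            ("with mapping", KRB5_CONF_WITH_MAPPING)):
        for host in ("10.14.134.5", "srv.sibptus.tomsk.ru", "localhost"):
            print(f"{conf_name:16} {host:22} -> {tgs_request_principal(host, conf)}")
```

Two things to keep in mind when applying the mapping fix on a real client: the [domain_realm] entry only tells the client which realm, and therefore which KDC, to trust for that address, so a wrong entry silently sends the request to another realm; and the request still fails unless the KDC database and the target host's keytab both contain the service principal for the IP literal (host/10.14.134.5 in the poster's case), exactly as they would for a hostname.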